In this example you will look inside the headers of the HTTP and HTTPS packets on your network.
Packet capture is also called a network tapping, packet sniffing, or logic analyzing.
To use packet capture, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.
Find this recipe for other FortiOS versions
5.2 | 5.6
1. Creating packet capture filters |
|
|
Go to Network > Packet Capture and create a new filter.
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/ng/page/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
|
|
|
The simplest filter just captures all of the packets received by an interface. This filter captures 10 packets received by the lan interface.
|
 |
|
You can select Enable Filters to be more specific about the packets to capture.
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the lan interface that have a source or destination address in the range 192.168.100.100-192.168.100.200.
|
 |
|
This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the wan1 interface. |
 |
 |
|
2. Results |
|
|
Running packet capture filters may affect FortiGate performance. Go to Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter are captured the filter stops. You can stop and restart multiple filters at any time. |
 |
|
After a filter runs, select and edit it. The option to download the capture packets is available. |
 |
|
You can open the file with a .pcap file viewer like Wireshark. |
 |
For further reading, check out Packet Capture in the FortiOS 5.6 Handbook.
The post Packet capture appeared first on Fortinet Cookbook.